Fix Weave Terminal Connection Issues After WatchGuard Firewall Replacement
draft · network dns firewall weave
Generated by docuprocessor (prompt article/v3) · 2026-04-22 08:27
Source thread
thread_id: spaces/AAAA05BdS6s/threads/B2Usfqi9rxg · 26 msgs · first 2024-06-28 · participants: Tech A, Tech B, Tech C, Tech D
Tech A
2024-06-28 20:29
@all Hey guys, I would like to raise a concern about the Advanced Dentistry office. The firewall was recently changed, and since that day some stuff is not connecting at all. I have connected some of them, but I am having issues with the Weave terminal: using the main Wi-Fi, it shows as connected in the terminal but is offline in the Weave app. However, if I connect it to the guest Wi-Fi, I get it connected, but the Weave app gives me an error message that it cannot connect with the reader. The exception is already made for Weave IPs and Stripe domains, but no luck. See the error below:
Tech A
2024-06-28 20:30
Three sequential screenshots show a **Stripe terminal Connection Error** dialog. The error message reads: *"Could not communicate with the Reader"* with error code **`reader_error`**. Network diagnostics show **Host IP: 192.168.1.157** and **Terminal IP: 192.168.1.107**; both **Subnet Match** and **Local IP Resolution** tests passed (green checkmarks), with DNS servers **4.4.2.2** and **192.168.1.250** in use, and a visible gateway of **192.168.1.1**.
Tech A
2024-06-28 20:31
I monitored the traffic when trying to connect to the terminal using the Weave app, and there is an access denied with 192.168.1.107 using port 53.
Tech A
2024-06-28 20:31
The image shows a **WatchGuard Firebox firewall log** with timestamped entries from **2024-06-28 at 14:05**. The majority of entries are **"Deny"** actions (shown in red/orange) with traffic classified as **"Trusted Firebox Denied"** and error code **"Unhandled Internal Packet-00"**, involving internal IP addresses in the **192.168.1.x** range communicating over **dns/udp** on port **53**, with one **"Allow"** entry (shown in green) permitting **HTTPS/tcp** traffic to **3.215.124.225** on port **443** via **ProxyAllow: HTTPS Request categories (HTTPS-proxy-00)**. One highlighted entry (blue background) at **14:05:20** shows a deny for **192.168.1.107** on port **50710/53**, and a separate entry shows a **853/tcp** denial on port **40449**.
Tech B
2024-06-28 20:32
There are KBs on the Weave website as well as on ours on how to tweak WG to work with Weave.
Tech B
2024-06-28 20:33
make sure the steps were followed correctly
Tech C
2024-06-28 20:35
https://www.weavehelp.com/hc/en-us/articles/360060849832-Configuration-for-Watchguard-System-Manager-WSI-Firewalls
Tech C
2024-06-28 20:35
Recently, when I try to go to our KB website, it tells me the site is under maintenance. You guys have that issue?
Tech B
2024-06-28 20:43
@Anthony
The image shows a web-based **Apps dashboard** containing 10 application tiles: Google Chat, Gmail, Google Calendar, Bitrix CRM, 3CX, Google Cloud, LogMeIn, Splashtop, Watchguard Cloud, and Wiki. The **Wiki** app tile (displaying a stacked-layers icon) is highlighted with a red circle. No error codes, numeric readouts, or diagnostic indicators are present.
Tech C
2024-06-28 20:52
Is that your Google Workspace? Mine looks different.
This is a Google Workspace app launcher page, not technical equipment imagery. The screen displays the message **"Google Workspace is managed by your administrator"** at the top. Visible apps include standard Google Workspace tools (Calendar, Gmail, Docs, Sheets, Slides, Drive, Meet, Chat, Forms, Sites, Keep, Jamboard, Cloud Search, Google Contacts, Groups for Business) as well as third-party apps: **Full Screen for Google Tasks™**, **TasksBoard for Google Tasks**, and **draw.io**.
Tech B
2024-06-28 20:53
no
Company's profile
The screenshot shows a Google Chrome browser with a Google Workspace app launcher menu open, belonging to the organization **"DENTAL HI-TECH MANAG..."**. A red arrow annotation points from the grid/launcher icon in the toolbar down to the **"My Apps"** menu option, which is highlighted in light blue. The menu also displays options for **Refresh**, **Help**, and **Sign out**, along with a **Search apps** field and a settings gear icon.
Tech C
2024-06-28 20:58
Can you share the doc with me?
Tech B
2024-06-28 20:59
It's not a doc. It's your Microsoft single sign-on page.
**Microsoft MyApplications Portal (myapplications.microsoft.com)** is displayed in a browser. The Apps Dashboard shows 10 configured SSO-linked applications: **Google Chat, Gmail, Google Calendar, Bitrix CRM, 3CX, Google Cloud, LogMeIn, Splashtop, Watchguard Cloud, and Wiki**. The URL bar is highlighted with a red oval, likely indicating this as the navigation reference point for the portal.
Tech C
2024-06-28 21:00
I did it
Tech C
2024-06-28 21:00
Thanks
Tech C
2024-06-28 21:01
I had it bookmarked
Tech C
2024-06-28 21:01
I don't remember doing this
Tech B
2024-06-28 21:01
Don't remember doing what?
Tech C
2024-06-28 21:01
Bookmarking the page
Tech C
2024-06-28 21:01
Means I used it before
Tech B
2024-06-28 21:02
It's not you but Alex.
Tech C
2024-06-28 21:02
ah
Tech B
2024-06-28 21:02
but you can add your own links there as well.
Tech B
2024-06-28 21:02
This is a Microsoft 365 (Azure AD / Entra ID) **Apps Dashboard** interface showing a dropdown menu triggered by the **"Add apps"** button, revealing two options: **"Add a site"** and **"Request new apps."** The dashboard displays **10 application tiles**: Google Chat, Gmail, Google Calendar, Bitrix CRM, 3CX, Google Cloud, LogMeIn, Splashtop, Watchguard Cloud, and Wiki. Additional interface controls visible include **"Create collection," "Customize view,"** and a **"Settings"** gear icon in the upper/side panel.
Tech C
2024-06-28 21:03
gotcha
Tech D
2024-07-01 15:39
The issue at this office is now resolved. Basic routers can point to themselves as primary DNS, but WatchGuard cannot. Once I went to the server DNS section, I noticed the primary DNS was 192.168.1.1, so I removed that, and this change fixed all the issues they were having with the CC machine, Sonos, iTero, etc. The reason it became a problem after the WatchGuard replacement is probably that the firewall didn't have all the subscription services on, such as intrusion prevention and web blocker, that use the proxies that cause this DNS issue to begin with, since all traffic is filtered and only then allowed out to the internet.